Our lives are being transformed by digital innovations. New online tools and digital services are making tasks in our work and personal lives easier and more efficient. But in order to benefit fully from this digital revolution we need to get the security aspects right. Businesses in particular are losing too much time and money to cyber crime. So I want to explain what the government is doing about it – and how businesses can help.
A little over ten years ago it would have been hard to imagine the scale of online commerce we see today. UK citizens are Europe’s biggest online shoppers, with 79 per cent of people making an online purchase in the past year and e-commerce worth over £557bn. The proportion of business now carried out online is astonishing. But I think we have adapted to this new world surprisingly quickly, particularly so in business. The modern love for digital makes it now routine for businesses to send and receive invoices online, to make payments online, to send sensitive data via email, and to operate services via the web. In fact, such is the ease of use that it’s easy to forget the need to be aware of security.
We are generally happy to punch in passwords and click our way through websites when we’re under pressure to get on quickly with the job in hand. Complacency and indifference towards the problem are part of the risk. Indeed, many businesses aren’t even aware they have been attacked – until, perhaps, their database appears online and their customers start receiving hundreds of spam emails.
The scale of cyber crime is vast. Just as useful services have moved online, so has a wide range of activity from the criminal world. It’s difficult to put a figure on the cost to UK industry, but we suspect it is in the tens of billions of pounds.
We know from the government’s annual Information Security Breaches Survey that 69 per cent of large organisations and 38 per cent of small businesses were attacked by an unauthorised outsider in the past year. This can come in many forms: theft of data, theft of money or intellectual property, damage or disruption to computer systems.
If you run a business, it’s easy to think everything is all right because you’re unlikely to be a target. Hackers are after the money and the banks, right? The truth is that most businesses hold information likely to be of value, such as customer details or commercial data. And much of the criminality we see online is automated.
It may not necessarily be a hacker specifically targeting your business. Instead, they’ve set literally thousands of traps, in emails and on websites, and they’re waiting to pounce when one of your staff clicks on a malicious link or opens a questionable email attachment.
Once your business is exposed you are open to a range of threats, such as theft of money and data. We’ve seen “cryptoextortion”, in which companies’ files are rendered useless through encryption, and are unlocked only after payment of a ransom. Even just general disruption to IT systems can be serious: what would the impact on a business be of having no website or email for just a few days?
Our analysis has found that more than 80 per cent of successful cyberattacks target basic weaknesses in IT systems. Businesses are being exploited because they haven’t taken simple steps to protect themselves. In effect, criminals are walking in through an unlocked front door.
It’s actually fairly easy to get the basics in place – even absolute beginners can do it – but not enough businesses are taking action to protect themselves.
This is why the government worked with industry to develop the Cyber Essentials scheme. Cyber Essentials shows how to address those basic vulnerabilities that are commonly exploited. Government suppliers are now required to have a Cyber Essentials certificate in order to sell goods and services to government.
Cyber crime is perhaps one of the greatest threats to national security, which is why we are taking the necessary steps to protect businesses and customers.
We need to get real about the threat. I want all businesses operating online to have Cyber Essentials, as a minimum. Many should do even more, but every business should have the basics in place.
The government’s Cyber Streetwise campaign urges all small businesses and consumers to use strong passwords, install security software and always download software updates.
This is a great start for all small businesses. Firms can also use our free guide What You Need to Know About Cyber Security and train their staff using our range of free online training modules. All government staff are required to complete this training and I’d like to see all staff in businesses do so, too.
Protecting personal data is a legal responsibility for businesses under the Data Protection Act. Taking action on cyber security is not just the right thing to do, it’s also what customers expect. The public is increasingly interested in how its data are used and stored. The latest research suggests 83 per cent of consumers are concerned about which businesses have access to their data and whether they are safe, with over half (58 per cent) saying a cyber breach would discourage them from using a business in the future.
Entrepreneurs and start-ups – particularly those with innovative ideas and intellectual property to protect – may be particularly vulnerable, given their organisations are likely to be new and yet to develop a mature approach to security. We need to protect our knowledge and intellectual property, as this is a key strength that sets the UK apart from others. Earlier this year, when I met the Catapult Centres – the UK’s innovation centres to help drive growth and innovation in critical areas – I said I’d like them all to have Cyber Essentials by the end of the year.
So, where are we now? The changes we’ve put in place during the past five years as part of the £860m National Cyber Security Programme have transformed industry awareness and action.
A wide range of guidance and support is now available: 58 per cent of the top UK firms have used the government’s 10 Steps to Cyber Security guidance (up from 40 per cent in 2013) and 88 per cent now include cyber security in their risk register (up from 58 per cent in 2013). There is also increased capability in law enforcement to tackle the threat. To build on this, the Chancellor recently announced a further £1.9bn investment in cyber security to make the UK one of the best-protected countries in the world.
Awareness and action are increasing. But the government can’t do it alone: business leaders need to play their part and ensure they protect the companies they have worked so hard to build. Only by doing this together can we fully realise the benefits of the digital economy.
Ed Vaizey has served as Minister for the Digital Economy since 2014 and is the MP for Didcot and Wantage (Conservative).